Protect against calling http_csp_add() too late
If the CSP header has already been sent when http_csp_add() is called, trigger an error.

Fixes #21263
vboctor authored and dregad committed Aug 27, 2016
1 parent f24a3e9 commit 9f35986
Showing 1 changed file with 22 additions and 2 deletions.
24 changes: 22 additions & 2 deletions core/http_api.php
Expand Up @@ -154,6 +154,11 @@ function http_content_headers() {
function http_csp_add( $p_type, $p_value ) {
global $g_csp;

if ( $g_csp === null ) {
# Development error, headers already emitted.
trigger_error( ERROR_GENERIC, ERROR );
}

if ( isset( $g_csp[$p_type] ) ) {
if ( !in_array( $p_value, $g_csp[$p_type] ) ) {
$g_csp[$p_type][] = $p_value;
Expand All @@ -170,6 +175,11 @@ function http_csp_add( $p_type, $p_value ) {
function http_csp_value() {
global $g_csp;

if ( $g_csp === null ) {
# Development error, headers already emitted.
trigger_error( ERROR_GENERIC, ERROR );
}

$t_csp_value = '';

foreach ( $g_csp as $t_key => $t_values ) {
Expand All @@ -181,6 +191,17 @@ function http_csp_value() {
return $t_csp_value;
}

/**
* Send header for Content-Security-Policy.
* @return void
*/
function http_csp_emit_header() {
header( 'Content-Security-Policy: ' . http_csp_value() );

global $g_csp;
$g_csp = null;
}

/**
* Set security headers (frame busting, clickjacking/XSS/CSRF protection).
* @return void
Expand Down Expand Up @@ -209,8 +230,7 @@ function http_security_headers() {
http_csp_add( 'style-src', "'unsafe-inline'" );
}

# Set CSP header
header( 'Content-Security-Policy: ' . http_csp_value() );
http_csp_emit_header();

if( http_is_protocol_https() ) {
header( 'Strict-Transport-Security: max-age=7776000' );
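Review bot: The new `$g_csp === null` guards in http_csp_add() (first hunk) and http_csp_value() (second hunk) do not stop execution after `trigger_error( ERROR_GENERIC, ERROR );`; unless the installed error handler halts on ERROR, http_csp_add() falls through to the `isset( $g_csp[$p_type] )` branch and will rebuild `$g_csp` from null, so the late directive is accepted but never reaches the already-sent header, and http_csp_value() then runs `foreach ( $g_csp as ... )` over null. Make the bail-out explicit with `return;` directly after the trigger_error() call in http_csp_add() and `return '';` in http_csp_value(), so the post-emission state cannot be revived whatever the handler does. Both function bodies continue outside their hunks. In http_csp_emit_header() the `global $g_csp;` declaration comes after the header() call; moving it to the top of the function matches the other functions in this file and makes the reset-to-null easier to spot.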
